After years of progress in disaster recovery and business continuity, advances are beginning to unravel in planning, communication and will. Is your company's risk management plan in line with the best practices in disaster recovery?

Business-Impact Analysis is the Key

Pelant and Sarabacha agree that the key to integrating IT with overall business-continuity planning and maintaining realistic RTOs is in running an effective business-impact analysis.

Just the act of getting IT disaster-recovery experts together with business-management and business-continuity planners to run an analysis will start cranking the gears of cooperation, Pelant says.

“By going through that process of doing the business-impact analysis and by understanding the interdepencies of the business, you start to realize that you depend upon other people,” he says. “So if you do the impact analysis right and you really focus on the fact that one cannot define one’s own importance, it will start to break down those silos.”

Pelant and Sarabacha believe that many organizations breeze through the business-impact analysis without putting enough thought into process priorities.

“It never ceases to amaze me that’s where real-time recovery objectives really come from,” Sarabacha says. “The industry touts business-impact analysis, … looks at each of these critical business processes and determines how long those can be done without the system and how long they can be completely not done after a disaster event. And that should drive the requirements for IT. Inevitably, I talk to the CEOs and the head of IT disaster recovery, and they say, ‘well, we kind of took a look at it, basically, and said 12 hours sounds pretty good, 24 hours sounds pretty good,’ and there’s no real linkage to what the business really needs.”

Even organizations that do collect data based on priorities are doing it wrong, Pelant says. “Many business-impact analyses are really opinion surveys because nobody really wants to go through the work of really analyzing priorities,” he says. “What you do is, you send out a questionnaire and you ask somebody how important are you and how fast do you need to get back online? And so you get the wrong answer, and it’s like the old IT axiom ‘garbage in, garbage out.’ You can analyze that kind of information as much as you want, but it’s still garbage.”

The best way to start the analysis is to conduct interviews with business managers and be sure to insert an IT disaster-recovery expert at each interview, Sarabacha says.

“One thing we’re doing with a client right now that I think is very positive is, they have their IT disaster-recovery leader sitting in on each and every one of the BIA [business-impact analysis] interviews with the business-process owners. So they’re really able to provide feedback on the systems and applications that support that process as you’re hearing from the business side. As opposed to keeping it all siloed, [they’re] really bringing IT and business to the table at the same time as you’re doing the analysis. So as the results come out, there’s much less time to buy in, and everything is more consistent on the first round.”

Throughout the process, Sarabacha encourages IT staffers to be more disciplined about opening up system data and explaining application interdependencies to business leaders who use these applications and must prioritize their need for an individual application in an emergency situation.

“As you’re doing this process, inconsistencies in the way things are done and what things are called are one of the big problems. Some companies, for instance, have pet names for their applications, and the one person in IT who really knows what [they are] knows that there are actually six applications behind that,” Sarabacha says. “The person in the business just knows it as the pet name and doesn’t really know what they’re talking about. That whole discussion around their requirements is kind of vague and uncertain because nobody knows what they’re talking about. And if IT can provide data from reports and other systems on what each application is, what the feeders are, and offer data-flow diagrams, that would be incredibly helpful to the business side.”

The business-impact analysis process is also a time to think creatively about how to utilize existing operations and infrastructure to improve recovery time with an acceptable budget.

“It takes creativity because you’re not going to reduplicate a department to be standing by waiting to pick up the pieces in case your primary department is interrupted,” Pelant says.

Instead, some organizations are looking at triangulating multiple offices or sites so that one can act as a backup for the other without incurring extra cost.

“It gets away from looking at it as insurance and actually building business continuity into the operational activities of the organization,” Sarabacha says.